Data transmission system

ABSTRACT

In an electronic system for the transmission of data between a plurality of stations the control signals and functions of the basic elements of power supply, watchdog and signal converter in each station are linked to one another so as to ensure that the number of possible modes of operation, taken for all the elements, is reduced to a number necessary for the corresponding task and thereby guarantees a more reliable operation. Moreover, the linkage leads to an optimum default behavior of the station with regard to application-specific power-saving and safety requirements, even when, for example, the malfunction of the microcontroller of the station persists.

BACKGROUND OF THE INVENTION

The invention relates to an electronic system for transmitting databetween a plurality of stations which are interconnected via a commonbus.

In known systems of the type defined in the opening paragraph at leastsome of the stations have a microcontroller which controls the stationsand is connected to the bus via an interface circuit constructed as atransmit/receive circuit, hereinafter also referred to as "signalconverter", so as to transmit and receive information via this bus. Thesystems often also include a timing circuit, hereinafter referred to as"watchdog", which circuit supplies a signal to the microcontroller whenit has not received a signal from the microcontroller for a time longerthan a given duration. These elements, or at least some of them, arepowered via a voltage regulator circuit when, for example in the case ofautomotive use, the available voltage is higher than the operatingvoltage of the elements. Under given conditions the microcontroller canset all the elements of the stations to a power-saving mode ofoperation, for example to spare a battery forming the power source, orthe station can be restored to a normal mode of operation by localevents or by signals via the bus.

External disturbances or disturbances in individual elements may giverise to undesired operating conditions. It is customary that themicrocontroller detects any undesired operating conditions and takessteps to reset the station to an operating condition which is useful forthe application. The microcontroller is again monitored by the watchdogand is reset to a well-defined initial state by means of a reset signalin the event of a malfunction.

An important drawback is that a continuously malfunctioningmicrocontroller, which neither operates correctly in the initial state,can no longer set the other elements to a well-defined default operatingcondition and, under given circumstances, the entire system with aplurality of stations will fail. The same situation arises when, forexample, only the power supply to the microcontroller fails. Apart fromfailure of the entire system, effects may arise which are unfavorablefor the application.

A further drawback is that in such situations the microcontroller can nolonger set the relevant station to a power-saving mode because theserial data or information transmitted for this purpose via the systemcan no longer be evaluated in the station itself.

SUMMARY OF THE INVENTION

It is an object of the invention to provide a system in which, even inthe case of continuous malfunctioning of the relevant microcontroller, astation is autonomously set to a default operating condition which isuseful for the application.

According to the invention this object is achieved by means of thecharacteristic features defined in claim 1.

The principle underlying the invention is that the microcontroller isoperated with the highest possible degree of reliability and, ifnecessary, can thus set all the other elements to an appropriate defaultmode, and that in the case of failure of the microcontroller itself theremaining elements in a self-contained and automatic manner establish adefault mode which is optimized for the application, i.e. specificallyas regards the safety requirements of the application, the power-savingrequirement and the adverse effect on the entire system. Of specialimportance in this respect is the fixed invariable logic linkage betweensignals and hence between functions of the individual elements, as ispossible for example by monolithic integration of the elements. Thisprinciple can be implemented in an effective manner for concrete casesof use.

In one embodiment the watchdog and the second voltage regulator arelinked to one another in such a manner that upon a first reset signalfrom the watchdog, for example as a result of a software error, thesecond voltage regulator initially remains in the state previouslydefined by the microcontroller and in the case of a repeated reset, forexample owing to a continuous malfunction of the microcontroller, thesecond voltage regulator is turned off, so as to ensure thatsubsequently the application-specific elements of the station are notpowered and, consequently, not operated in an uncontrolled manner.Alternatively, the second voltage regulator may already be turned offimmediately upon the first reset.

In a further embodiment the watchdog links the two supply voltages andthe signal converter to one another in such a manner that in the case ofa continuous malfunction of the microcontroller, detected on the basisof repeated resets, the two power supplies and the signal converter areturned off when in an extended function the watchdog ascertains that nomore serial data have been transmitted for a given time interval and theentire system is obviously in a power-saving mode, so that also in thecase of the defective station the power saving requirement is met.

In a further embodiment the watchdog and the second voltage regulatorare linked to one another in such a manner that the second voltageregulator cannot be activated by the microcontroller (trigger) untilafter at least one successive reset operation of the watchdog, so thatthe application-specific elements cannot be operated in an uncontrolledmanner during the starting phase of the microcontroller and also instarting phases of the microcontroller which are prolonged as a resultof faults.

In a further embodiment the watchdog and the one supply voltage arelinked to one another in such a manner that in an extended function theone supply voltage can be activated cyclically from a power saving modeand can thus wake up the entire station, so as to guarantee some basicfunctions of the station and at the same time save power.

In a further embodiment the signal converter and the one supply voltageare linked to one another in such a manner that in its power-saving modethe signal converter is still capable of monitoring the activities asregards the transmission of serial data in the system and is capable ofwaking up its associated station by automatic activation of the onesupply voltage in response to a wake-up request transmitted from anotherstation.

In a further embodiment the watchdog, the two supply voltages and thesignal converter are linked to one another in such a manner that in thecase of changes of the modes of operation of the stations these arecontrolled, preferably by means of a control signal, in such a way thatthe specific modes of operation of the individual elements change onlyjointly and simultaneously, as a result of which undesired transientmodes are precluded and the requirements imposed on the application asregards safety and power saving are met, which signal can take the formof a serial or parallel control signal defined by known safetyprocedures and applied to an integrated element comprising theindividual basic elements.

In a further embodiment the watchdog, the signal converter and aseparate circuit for the detection of local wake-up requests are linkedto one another in such a manner that, depending on whether the stationis in a standby mode or in a power-saving mode, the cyclic, the localand the transmitted wake-up conditions are converted into

a notification of the microcontroller, for example by interrupts in thecase of a correct progress of the program,

a reset of the microcontroller to its initial state and, consequently, arestart of the program,

in order to achieve that the station is woken up as rapidly as possibledepending on the instantaneous operational state.

In a further embodiment the watchdog, the signal converter and anadditional monitoring circuit are linked to one another in such a mannerthat after a restart of the program cycle in the microcontroller thecause and source of the reset can be determined, and the microcontrollercan thus determine the history before the reset and can optimize theprogram cycle, for example by skipping a learning operation and canoptimize the data management, for example by again using previouslygenerated data, the detection of reset sources taking intoconsideration, for example:

an initial system start after a first connection to the input voltage,

a reset of the watchdog during monitoring of the program cycle,

a reset for the cyclic wake-up of the system from a standby mode orpower-saving mode by means of an extended function of the watchdog,

a reset by a wake-up request in response to a request transmitted to thestation by the application,

a reset based on undervoltage conditions imposed on a supply voltage andhence on the microcontroller power supply,

a reset as a new start attempt from a default mode which has beensustained for given time, for example because of an excess temperature,

a reset by way of default measure when the microcontroller has notresponded to an interrupt.

In a further embodiment the watchdog, the signal converter and anadditional monitoring circuit are linked to one another in such a mannerthat actions initiated by warning functions, error indications and resetsources of the individual elements, in view of the action to be taken inorder to set the entire station to a default mode, can be divided in anapplication-oriented manner into

a notification of the microcontroller, for example by interrupts in thecase of a correct progress of the program,

a reset of the microcontroller to its initial state and, consequently, arestart of the program,

a permanent reset of the microcontroller, and an automatic andself-contained set-up of the station to the default mode which is mostuseful for the application by means of the remaining elements.

The linking of the various control signals and functions of theindividual basic elements as well as the default mode can be programmedin an application-specific manner by means of non-volatile memories onan integrated circuit.

Advantages obtained by linking the functions and control signals of theindividual basic elements are

a self-contained reset behavior which is optimal for the application,even in the case of a continuous malfunction of the microcontroller,

secure power saving as a result of an autonomous turn-off even in thecase of a faulty microcontroller,

a more reliable operation of the system as a result of the securereduction of the number of possible operating conditions in a station,

further optimized operational program flow as result of reset sourcedetection,

well-defined system starts as a result of microcontroller-independentmonitoring of the supply voltages,

better possibilities of realizing quiescent current concepts.

Embodiments of the invention will be described in more detail, by way ofexamples, with reference to the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a station in accordance with theinvention, and

FIGS. 2 3 and 4 are diagrams of state transitions.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

By way of example an application in the field of automotive electronicsis described.

In the present application a system of up to 30 stations forms anetwork, each of the individual stations performing differentsecurity-related tasks, while the entire system should be optimized withrespect to its power consumption so as to ensure that the battery of theon-board power supply is not drained excessively even in the case ofcomparatively long parking periods.

The secure operation is achieved by the reliable operation of thestation and by its well-defined default behavior in the case of faults.For this purpose, each station employs an integrated element whose basicelements include a watchdog, two supply voltages and a signal converter.

As a first measure the control signals of the individual elements on theintegrated circuit are linked to one another so as to allow only theseven operating conditions of a complete station which are required forthe application, three of the seven operating conditions being modes ofoperation for the application:

normal operation (NB),

standby operation (BB)

power-saving operation (SB),

and the four start or default conditions,

the cold start (KS),

the warm start (WS),

power-on default operation (VR),

power-off default operation (UR).

As required by the application, the stations change over between normaloperation and power-saving operation or standby operation, thechange-over to normal operation being faster and the power saving beingsmaller in the standby mode than in the power-saving mode.

The reduction of the possible operating conditions is achieved in thatthe individual elements can be set only jointly to another operatingcondition by means of a single serial code word from the microcontrollerto the integrated circuit.

The linkage enables the optimum default behavior for the application tobe determined and a self-contained default behavior to be establishedeven in the case of a continuously malfunctioning microcontroller.

FIG. 1 is a block diagram of a station in accordance with the invention.This station includes an integrated circuit 10 comprising some elementsto be described hereinafter, and a microcontroller 40 connected to theintegrated circuit 10 and also constructed as an integrated circuit inthe customary manner. Via a connection 41 the microcontroller 40controls peripheral circuits 42, which depend on the application andwhich may include, for example, switches for loads of comparatively highpower. The integrated circuit 10 is further connected to a bus 6, towhich further stations are connected, and has an input 7 via whichso-called wake-up requests are applied, which issue for example frommanually operated switches or from sensors. Via a terminal 9 theintegrated circuit 10 receives an operating voltage which is higher thanthat required for the power supply of the microcontroller 40, theperipheral circuit 42 and given elements of the integrated circuit 10.

The supply voltage VB is applied to two voltage regulators 12 and 14 toderive the lower supply voltage for the relevant circuits. The voltageregulator 12 generates a voltage V1, which is only applied to themicrocontroller 40 via a line 13. The voltage regulator 14 generates avoltage V2, which is applied to a transmit-receive circuit 20 within heintegrated circuit 10 and also to the peripheral circuit 42. The voltageregulators 12 and 14 can be turned off individually or jointly by amonitoring circuit 22 via the line 23.

The integrated circuit 10 further includes an oscillator 18, whichcontrols a watchdog timing circuit 16. The watchdog can alternatively bearranged outside the integrated circuit 10, preferably in themicrocontroller. Moreover, there has been provided an interface circuit28, which receives control words from the microcontroller 40 or whichspecifically transmits status words. A reset control circuit 24generates a reset signal or an interrupt signal for the microcontroller40 on the line 25 or it receives from this microcontroller a restartsignal, which restarts the monitoring period. A circuit 26 converts thewake-up signals received via the input 7 or from the transmit-receivecircuit 20 into control signals for the control circuit 24.

The watchdog 16 is connected to the interface circuit 28 via theconnection 17c to enable it to be set to given monitoring periods bycontrol words from the microcontroller 40 and to enable the settings ofthe monitoring periods and, if applicable, any further conditions to bereported to the microcontroller. Furthermore, the watchdog circuit 16 isconnected to the control circuit 24 via a connection 17a in order totransmit to this circuit reset signals or interrupt signals for themicrocontroller 40 or in order to receive a restart signal from themicrocontroller. Moreover, the watchdog circuit 16 is connected to themonitoring circuit 22 via a connection 17b in order to turn on or turnoff the voltage regulators 12 and 14 via this monitoring circuit. Inaddition, the interface circuit 28 is connected to the monitoringcircuit 22 so as to allow the voltage regulators 12 and 14 to be alsoturned off by control signals from the microcontroller 40.

The monitoring circuit 22 monitors the non-regulated input voltage andcan thus detect whether the voltage has been doubled by "jump-starting"and application-related elements should be protected by disabling them.Moreover, the monitoring circuit detects the loss of the input voltageby means of the attendant sudden voltage drop, as a result of which thestation still can store any volatile data and terminate the program in asensible manner, a local energy buffer providing the power supply to thestation for the last-mentioned operations before a final loss of thesupply voltage. Furthermore, the monitoring circuit can detect atemporary drop in the input voltage as a result of overloading, forexample when the engine is started, so that the station can turn offapplication-related loads in order to spare the battery.

The transmit-receive circuit 20 is connected to the microcontroller 40via a connection 21 to supply the data received from the bus to themicrocontroller or to receive the data transmitted by the latter.

The elements 16, 18, 22, 24 and 26 are essentially powered with thesupply voltage VB, so that they are constantly active, even when thevoltage regulators 12 and 14 are inoperative.

FIGS. 2 to 4 graphically represent the operating conditions, where V1represents the supply voltage for the microcontroller and V2 the supplyvoltage for the periphery and the signal converter and can be turned onand turned off. In normal operation the signal converter (SF) cantransmit and receive serial data and in its power-saving mode (standby)it can only receive wake-up requests. Moreover, the signal converter canpresent a high impedance with respect to the lines to other stations inthe system. In normal operation the watchdog (WD) has short periods forsoftware monitoring as well as long and very long periods for the cyclicwake-up of the station from the standby mode and the power-saving mode,respectively. Moreover, the watchdog monitors the microcontroller aftera reset (starting).

In this embodiment the various self-monitoring functions, warningfunctions and reset sources are divided into

warning functions by means of interrupts when the microcontroller is notimpaired in its program execution, for example

jump start,

voltage drop of the input voltage,

early voltage loss,

fault in signal converter,

excess-temperature message as an early warning for an overtemperaturecut-out,

undervoltage for the other supply voltage,

and default functions through reset when the microcontroller operationis impaired temporarily, for example in the case of

temporary errors in the program execution,

unanswered warning interrupt,

unanswered wake-up interrupt,

unanswered warm start, for example as wake-up, and autonomousmicrocontroller-independent permanent default operation in the case ofmicrocontroller failure, for example in the case of persistent incorrectsupply voltage at the microcontroller, unanswered cold or warm start ofthe microcontroller, overtemperature cut-out (protection againstself-destruction of the integrated components).

In FIG. 2 the state numbers have the following meanings

50 mode change; only in NB, BB and SB by the microcontroller,

51 NB with V1, V2 on, SF normal, WD normal/off,

52 BB with V1 on, V2 on/off, SF standby, WD long/off,

53 SB with V1 off, V2 off, SF standby, WD very long/off,

54 WS with V1 on, V2 as before, SF as before, WD starting for resetpulses,

55 KS with V1 on, V2 off, SF=standby, WD starting, reset=V1 controlled(for Wdh. ->pulse),

56 UR with V1 off, V2 off, SF in high-impedance state, WD off,

57 INT,

58 any state,

and the transition numbers denote

61 SCW,

62 INT masked wake-up requirement (if wake-up requests are neither INTmasked nor RESET masked: default to RESET),

63 no SCW in WD period,

64 RESET masked wake-up request, RESET masked cyclic start by WD,

65 all local wake-up requests, transmitted wake-up request, cyclicwake-up by WD,

66 initial power supply of integrated components,

67 loss of supply voltage to integrated components.

In FIG. 3 the following state number in addition has the meaning

59 VR with V1 off, V2 off, SF standby, WD off,

and the transition numbers denote

68 WD overflow (normal),

69 WD overflow (starting),

70 undervoltage V1,

71 overtemperature cut-out,

72 no wake-up request for a long time or overtemperature cut-out,

73 wake-up request (if previous state "KS") or overtemperatureprotection no longer necessary.

In FIG. 4 the following state number in addition has the meaning 50achange of mode, the microcontroller itself being capable of selecting anarbitrary default behavior,

and the transitions denote

74 masked interrupts: errors in SF, V2 undervoltage, jump start,overtemperature warning, interrupt at terminal 30,

75 masked interrupts,

76 SCW (also cancels interrupt),

77 no SCW within WD period

78 no wake-up request for a long time,

79 wake-up request.

In all the figures the references have the following means SCW serialcode word for selection of the mode of operation and triggering of theWD,

NB normal operation,

BB standby operation,

SB power-saving operation,

WS warm start without change of V1,

KS cold start, possibly with V1 running up,

UR non-powered default operation,

SF signal converter for serial data,

WD watchdog for program monitoring,

V1 supply voltage of the microcontroller,

V2 supply voltage of the signal converter and the application-relatedcomponents,

INT interrupt.

What is claimed is:
 1. A station for a system for the transmission ofdata between a plurality of stations which are connected to one anothervia a common bus, the station including at least the following elementsamicrocontroller, a transmit/receive circuit coupled to saidmicrocontroller and connected to the bus, a timing circuit (watchdog)for the generation of reset signals for the microcontroller, and a firstvoltage regulator,which station can be in a normal mode of operation orin at least one further mode of operation, preferably in a standby mode,wherein under given conditions the watchdog supplies reset signals orinterrupt signals to the microcontroller, in that there has beenprovided at least a second voltage regulator, the first voltageregulator exclusively powering the microcontroller and both voltageregulators being capable of being disabled, in that the number ofpossible modes of operation is limited to given modes of operation bylinking of the control signals of the individual elements, and in thatby linking of the control signals of the individual elementssub-functions of the station, particularly default functions, can be setautonomously without participation of the microcontroller.
 2. A stationas claimed in claim 1,wherein the watchdog and the second voltageregulator are linked to one another in such a manner that the secondvoltage regulator is disabled by a given number of successive resetsignals from the watchdog.
 3. A station as claimed in claim 1,whereinthe watchdog, the two voltage regulators and the transmit/receivecircuit are linked to one another in such a manner that in the absenceof the transmission of data via the bus the two voltage regulators aredisabled by a given number of reset signals.
 4. A station as claimed inclaim 1, in which the second voltage regulator is disabled in thestandby mode,wherein the second voltage regulator is turned on only by atrigger signal from the microcontroller to the watchdog.
 5. A station asclaimed in claim 1, which is in a power-saving mode,wherein instead ofgenerating reset signals the watchdog periodically generates briefturn-on signals for both voltage regulators.
 6. A station as claimed inclaim 1, which is in a power-saving mode,wherein the transmit/receivecircuit autonomously turns on both voltage regulators upon reception ofa wake-up request via the bus.
 7. A station as claimed in claim 1,wherein (underline) the two supply voltages and the transmit/receivecircuit are linked to one another in such a manner that common controlsignals for the individual modes of operation switch all the elements toanother mode of operation only jointly and simultaneously.
 8. A stationas claimed in claim 1, the station including wake-up means for thegeneration of local wake-up requests, wherein (underlined) the watchdog,the transmit/receive circuit and the wake-up means are linked to oneanother in such a manner that the watchdog transmits either an interruptsignal or a reset signal to the microcontroller depending on whether acyclic, a local or a transmitted wake-up request appears and dependingon the mode of operation of the station.